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(57) Abstract: The present invention relates to a method and a system for protecting the user identifier of a service user from the 
service provider in a mobile cornmunication network, which service to be provided/used is a content service utilizing the geographical 
information of the service user. The system comprises a terminal device of the service user (1 1) for sending the service request to the 
service provider, equipment of the service provider (12) for generating the service response and sending it to the service user; and a 
mobile communication network (10) for transmitting the service request and the service response. In accordance with the invention, 
the system comprises an encrypting device (13) for generating the service-request-specific anonymous identifier corresponding to 
the user identifier; an identification database (13) for storing the user identifier and corresponding anonymous identifier, a service 
gateway (14) for retrieving the user identifier and the anonymous identifier corresponding to one another and for substituting the 
identifiers in question with one another in the service requests and service responses directed to the service gateway in question; 
and a location register (15) for retrieving the user identifier corresponding to the anonymous identifier as well as for retrieving the 
geographical information of the service user based on the user identifier in question. 
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A METHOD AND SYSTEM FOR PROTECTING A USER IDENTIFIER 

FIELD OF THE INVENTION 

The invention relates to telecommunication 
systems. More specifically, the invention relates to a 
5 method and a system for protecting the user identifier 
of a service user from the service provider in a mo- 
bile communication network, which service concerned is 
a content service utilizing the geographical informa- 
tion of the service user. 

10 

PRIOR ART 

The network operators of the mobile communi- 
cation networks have remarkably increased the number 
of their services and the co-operation with the serv- 

15 ice providers in the last few years. The number of 
services is wide, and most of the services do not re- 
quire any specific solutions of the operator, e.g. for 
guaranteeing the protection of identity of the user. 
Nowadays, the operators are, however, willing to de- 

20 velop, e.g. their content services, and the meaning of 
the protection of identity is remarkably emphasized, 
because the services provided may include sensitive 
information comparable, e.g. with the geographical in- 
formation. Generally, people speak about a client, 

25 which means the user of the service, and about a net- 
work operator or a telephone operator who offer net- 
work services, such as call transfer, call waiting, 
answering services, conference calls, etc. Now as a 
third party, there are the content providers who are 

30 hereinafter referred to as service providers. These 
interest groups provide content services, such as 
horoscopes, news services, timetables etc. The appear- 
ing of a third party in between the client and the 
network operator may cause changes to the compiling of 

35 such identifiers that may insult the protection of 
data privacy of the client, i.e. the user of the serv- 
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ice. According to the present legislation, the content 
provider cannot be given such information that might 
insult the protection of identity of the client. 

For example in the GSM, there are several 
5 registers defined that are different databases. On the 
home location register HLR, there are the subscriber 
details permanently stored that are needed in the pro- 
duction of services regardless of the fact of where 
the subscriber each time is located. Such subscriber 

10 details are, e.g. the international mobile subscriber 
identity (IMSI, International Mobile Subscriber Iden- 
tity) , the mobile station ISDN number (MSISDN) , addi- 
tional services agreed by the subscriber, certain in- 
formation of the location of that moment of the sub- 

15 scriber. Prior-art technique represents also the serv- 
icing mobile location centre (SMLC, Servicing Mobile 
Location Centre) , which is used in locating the posi- 
tion of that time of the user of the service. Before, 
people used to talk about a mobile location centre 

20 (MLC, Mobile Location Centre) , but now that the posi- 
tion of that moment of the subscriber of the services 
has to be accurately located, people have changed to 
the use of this aforementioned SMLC. 

On the visitor location register VLR, the 

25 subscriber details that are needed in production of 
the services are stored temporarily for the period the 
subscriber is located in the service area of the serv- 
icing mobile location centres of the VLR. When the mo- 
bile station is detected in the service area in ques- 

30 tion, the VLR asks the HLR for these details. In addi- 
tion to the information in the HLR, the temporary mo- 
bile subscriber identity (TMSI, Temporary Mobile Sub- 
scriber Identity) is stored on the VLR. This is used 
in signaling in radio path instead of the IMSI because 
35 the permanent identity is wished to keep secret. In 
addition, in the VLR there is the location area iden- 
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tity (LAI , Location Area Identity) of that time of the 
subscriber. 

The authentication centre (AUC, Authentica- 
tion Centre) is a database which includes subscriber 
5 details relating to the information security. The AUC 
checks whether the subscriber is the one who he or she 
claims to be (IMSI/TMSI) . AUC also includes the keys 
of the encryption used in the radio path. 

In addition, as for prior art, the meaning of 
10 the wireless application protocol (WAP, Wireless Ap- 
plication Protocol) is not to be ignored as an alter- 
native way of action when planning components managing 
the service request of the network operator. The use 
of the wireless application protocol is becoming com- 
15 mon in solutions in which a connection is needed be- 
tween portable terminal devices, such as mobile sta- 
tions and the Internet applications, e.g. electronic 
mail, WWW (World Wide Web), news groups. The wireless 
application protocol provides an architecture which 
20 adapts mobile phones, browser programs of mobile 
phones, and the WWW to work as a functional entity. A 
problem has become the amount of information transmit- 
ted in the network between the client, network opera- 
tor and the service provider. The operator has to be 
25 able to take care of the protection of identity of the 
client and to try to prevent information from ending 
up into the hands of those not concerned. At the same 
time, the operator has to be able to pick up from the 
information flow the essential information needed in 
30 order to be able to address the service to the right 
subscriber . 



OBJECTIVE OF THE INVENTION 

The objective of the present invention is to 
35 disclose a new kind of method and system that elimi- 
nates the disadvantages referred to above, or at least 
significantly alleviates them. One specific objective 



WO 01/28273 



4 



PCT/FIOO/00873 



of the invention is to disclose a method and a system 
that make it possible to protect the user identifier 
of a service user from the service provider in a mo- 
bile communication network. However, the protection is 
5 effected at such a level that the service provider 
gets the information sufficient enough for him or her 
to be able to address the service to the right sub- 
scriber. 

0 BRIEF DESCRIPTION OF THE INVENTION 

In the present invention, a user identifier 
of a service user is protected from the service pro- 
vider in a mobile communication network, such as the 
GSM network (Global System for Mobile Telecommunica- 

5 tions, GSM) . The term "service provider" refers to the 
provider of the content services in distinction from 
the telephone operator providing network services. 
Correspondingly, the term "service" refers to the con- 
tent service in distinction from the network services. 

0 More specifically, the service is hereinafter used to 
refer to such a content service that utilizes the geo- 
graphical information of the service user. 

A service request containing the user identi- 
fier of the service user is sent from the terminal de- 

5 vice of the service user. The user identifier means 
the way of identifying the user unambiguously used by 
the mobile station in use and known in itself, such as 
the MSISDN number (Mobile Subscriber Integrated Serv- 
ices Digital Network, MSISDN) , IMEI code ( Interna - 

0 tional Mobile station Equipment Identity, IMEI) or the 
TMSI identity (Temporary Mobile Subscriber Identity, 
TMSI) . The service request in question is transmitted 
to the equipment of the service provider by means of 
which, a service response is generated. The service 

5 response is sent from the equipment of the service 
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provider, and is transmitted to the terminal device of 
the service user. 

In accordance with the invention, the service 
request is directed to the service gateway which asks 
5 the encrypting party for the anonymous identifier cor- 
responding to the user identifier in question. The 
anonymous identifier in question is generated by means 
of an encryption device. The user identifier and the 
corresponding anonymous identifier are stored on an 

10 identification database. The anonymous identifier is 
sent to the service gateway in which the service re- 
quest is modified in such a way that the user identi- 
fier is substituted with the anonymous identifier. Af- 
ter this, the modified service request is directed to 

15 the equipment of the service provider. 

Further in accordance with the invention, a 
geographical information request containing the anony- 
mous identifier is sent from the equipment of the 
service provider to the location register, which re- 

20 trieves from the database a user identifier corre- 
sponding to the anonymous identifier in question. The 
user identifier in question helps to find out the geo- 
graphical information of the service user. The geo- 
graphical information and the corresponding anonymous 

25 identifier are sent to the equipment of the service 
provider. The service response is generated based on 
the geographical information in question. The service 
response containing the anonymous identifier is di- 
rected to the service gateway which retrieves from the 

30 identification database a user identifier correspond- 
ing to the anonymous identifier. The service response 
is directed to the terminal device of the service user 
by means of the user identifier in question. 

In an embodiment of the invention, the user 

35 identifier and the corresponding anonymous identifier 
are eliminated from the identification database after 
a predetermined time. 
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In an embodiment of the invention, the user 
identifier and the corresponding anonymous identifier 
are eliminated from the identification database after 
a predetermined number of inquiries. 

In an embodiment of the invention, the geo- 
graphical information is found out by retrieving it 
from the SMLC centre (Servicing Mobile Location Cen- 
tre, SMLOof the mobile communication network. 

In an embodiment of the invention, the geo- 
graphical information is found out by retrieving it 
from the location database maintained by the location 
register. 

In an embodiment of the invention, the serv- 
ice gateway is arranged in conjunction with the SMS 
15 centre (Short Message Service, SMS) of the mobile com- 
munication network. 

In an embodiment of the invention, the serv- 
ice gateway is arranged in conjunction with the WAP 
gateway (Wireless Application Protocol, WAP) of the 
2 0 mobile communication network. 

In an embodiment of the invention, the user 
identifier is the MSISDN number of the terminal device 
of the service user. 

In an embodiment of the invention, the mobile 

2 5 communication network is a GSM network. 

As compared with prior art the present inven- 
tion provides the advantage that it makes it possible 
to protect the user identifier of the service user 
from the content provider. This on the other hand 

3 0 makes it possible to develop and/or provide such con- 

tent services of a mobile communication network that 
utilize the geographical information of the service 
user because thanks to the invention, no sensitive in- 
formation resulting from the combination of the iden- 
35 tity and the location of the service user is going to 
end up to the third party, i.e. the content provider. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

In the following section, the invention will 
be described by the aid of the attached examples of 
its embodiments with reference to the attached draw- 
5 ing, in which 

Fig. 1 schematically represents one system of 
the invention; and 

Fig. 2 schematically represents another sys- 
tem of the invention. 

10 

DETAILED DESCRIPTION OF THE INVENTION 

Fig. 1 is a flow chart illustrating one sys- 
tem of the invention. In the figure, the terminal de- 
vice of the service user 11 has been connected to the 

15 mobile communication network 10, e.g. to a digital mo- 
bile network. From the aforementioned terminal device 
11, a service request is sent to the mobile communica- 
tion network 10. Connected to the aforementioned mo- 
bile communication network is also the equipment of 

2 0 the service provider 12, which may be, e.g. a computer 
or some other suitable equipment or a software con- 
figuration. The aforementioned equipment is used to 
maintain, e.g. the content services and address them 
to right clients. The system also comprises a service 

25 gateway 14 which is connected to the mobile communica- 
tion network 10 and which is arranged, e.g. in con- 
junction with the SMS centre or the WAP gateway. Fur- 
ther, the service gateway may be implemented as a 
separate entity. In addition, the system comprises, in 

30 accordance with the invention, an encrypting device 13 
in whose conjunction there is an identification data- 
base 13 arranged. In addition, the system comprises, 
in accordance with the invention, a location register 
15 in whose conjunction it is possible to arrange a 

35 location database 15 for maintaining the geographical 
information. 
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Fig. 2 is a flow chart illustrating another 
method of the invention. At a step 21, from the termi- 
nal device of the service user, such as the GSM tele- 
phone, a service request containing the user identi- 
5 fier of the service user is sent. In the exemplary 
case as illustrated in the figure, the user identifier 
is the MSISDN number of the service user. In accor- 
dance with the invention, at a step 22, the mobile 
communication network directs the service request to 

10 the service gateway which at a step 23 sends to the 
encrypting device a request to give the anonymous 
identifier corresponding to the user identifier in 
question. The aforementioned anonymous identifier is 
generated by means of the encrypting device, and the 

15 user identifier and the corresponding anonymous iden- 
tifier are stored on the identification database at a 
step 24. At a step 25, the anonymous identifier is 
sent to the service gateway which modifies the service 
request by substituting the user identifier with the 

20 anonymous identifier. After this, the modified service 
request is directed to the equipment of the service 
provider at a step 26. At a step 27, from the equip- 
ment of the service provider, a geographical informa- 
tion request containing the anonymous identifier is 

25 sent to the location register, which at the steps 28, 
29 and 3 0 finds out the user identifier corresponding 
to the anonymous identifier in question by means of 
the identification database and/or the encrypting de- 
vice. By means of the user identifier in question, the 

3 0 geographical information of the service user is found 
out at a step 31 using the location register. The geo- 
graphical information is found out, e.g. by retrieving 
it from the SMLC centre (Servicing Mobile Location 
Centre, SMLC) of the mobile communication network. Al- 

35 ternatively, e.g. in the location register, a location 
database is maintained from which the geographical in- 
formation is retrieved, if necessary. At a step 32, 
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the geographical information and the anonymous identi- 
fier corresponding to it are sent to the equipment of 
the service provider. The service response is gener- 
ated based on the geographical information in question 
5 at a step 33. At a step 34, the service response con- 
taining the anonymous identifier is directed to the 
service gateway, which retrieves the user identifier 
corresponding to the anonymous identifier from the 
identification database by repeating the steps. The 

10 service response is directed to the terminal device of 
the service user based on the user identifier in ques- 
tion at steps 35-36. 

The invention is not restricted merely to the 
examples of its embodiments, instead many variations 

15 are possible within the scope of the inventive idea. 
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CLAIMS 

1. A method for protecting the user identi- 
fier of a service user from the service provider in a 
mobile communication network, which service to be pro- 
5 vided/used in question is a content service utilizing 
the geographical information of the service user and 
which method comprises the steps of: 

sending the service request containing the 
user identifier of the service user from the terminal 
10 device of the service user, 

transmitting the service request in question 
to the equipment of the service provider, 

generating the service response using the 
equipment of the service provider, 
15 sending the service response from the equip- 

ment of the service provider, and 

transmitting the service response to the ter- 
minal device of the service user, 

characterised in that the method 
20 further comprises the steps of: 

directing the service request to the service 

gateway, 

asking the encrypting party for the service - 
request-specific anonymous identifier corresponding to 
25 the user identifier in question, 

generating the anonymous identifier by means 
of the encryption device and storing the user identi- 
fier and the corresponding anonymous identifier on the 
identification database, 
30 sending the anonymous identifier to the serv- 

ice gateway, 

modifying the service request by substituting 
the user identifier with the anonymous identifier, 

directing the modified service request to the 
3 5 equipment of the service provider, 
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sending a geographical information request 
containing the anonymous identifier from the equipment 
of the service provider to the location register, 

retrieving the user identifier corresponding 
5 to the anonymous identifier in question from the iden- 
tification database to the location register, 

finding out the geographical information of 
the service user in question by means of the user 
identifier in question, 
10 sending the geographical information and the 

corresponding anonymous identifier to the equipment of 
the service provider, 

generating the service response based on the 
geographical information in question, 
15 directing the service response containing the 

anonymous identifier to the service gateway, 

retrieving the user identifier corresponding 
to the anonymous identifier from the identification 
database, and 

20 directing the service response to the termi- 

nal device of the service user by means of the user 
identifier in question. 

2. A method as defined in claim 1, char- 
acterised in that the method further comprises 

25 the step of: 

eliminating the user identifier and the cor- 
responding anonymous identifier from the identifica- 
tion database after a predetermined time. 

3. A method as defined in claim 1, char- 
30 acterised in that the method further comprises 

the step of: 

eliminating the user identifier and the cor- 
responding anonymous identifier from the identifica- 
tion database after a predetermined number of inquir- 
35 ies. 
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4. A method as defined in any one of the pre- 
ceding claims 1, 2, or 3, characterised in 
that the method further comprises the step of: 

finding out the location information by re- 
5 trieving it from the SMLC centre of the mobile commu- 
nication network. 

5. A method as defined in any one of the pre- 
ceding claims 1, 2, or 3, characterised in 
that the method further comprises the step of : 

10 finding out the geographical information by 

retrieving it from the location database maintained by 
the location register. 

6. A system for protecting the user identi- 
fier of a service user from the service provider in a 

15 mobile communication network, which service to be pro- 
vided/used is a content service utilizing the geo- 
graphical information of the service user and which 
system comprises: 

a terminal device of the service user (11) 
20 for sending the service request to the service pro- 
vider, which service request comprises the user iden- 
tifier of the service user, 

equipment of the service provider (12) for 
generating the service response and sending it to the 
25 service user, and 

a mobile communication network (10) for 
transmitting the service request and the service re- 
sponse, 

characterised in that the system 
30 further comprises: 

an encrypting device (13) for generating the 
service- request -specific anonymous identifier corre- 
sponding to the user identifier, 

an identification database (13) for storing 
3 5 the user identifier and the corresponding anonymous 
identifier, 
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a service gateway (14) for retrieving the 
user identifier and the anonymous identifier corre- 
sponding to one another and for substituting the iden- 
tifiers in question with one another in the service 
5 requests and/or service responses directed to the 
service gateway in question, and 

a location register (15) for retrieving the 
user identifier corresponding to the anonymous identi- 
fier and for retrieving the geographical information 
10 of the service user based on the user identifier in 
question. 

7. A system as defined in claim 6, char- 
acterised in that the location register (15) 
comprises : 

15 means (15) for retrieving the geographical 

information from the SMLC centre of the mobile commu- 
nication network (10) . 

8. A system as defined claim 6, charac- 
terised in that the location register (15) com- 

20 prises: 

a location database (15) for maintaining the 
geographical information. 

9. A system as defined in any one of the pre- 
ceding claims 6, 7, or 8, characterised in 

2 5 that the service gateway (14) has been arranged in 
conjunction with the SMS centre of the mobile communi- 
cation network (10) . 

10. A system as defined in any one of the 
preceding claims 1, 2, or 3, characterised in 

30 that the service gateway (14) has been arranged in 
conjunction with the WAP gateway of the mobile commu- 
nication network (10) . 

11. A system as defined in any one of the 
preceding claims 6, 7, 8, 9, or 10, character- 

35 i s e d in that the user identifier is the MSISDN num- 
ber of the terminal device of the service user (11) . 
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12. A system as defined in any one of the 
preceding claims 6, 7, 8, 9, 10, or 11, charac- 
terised in that the mobile communication network 
(10) is a GSM network. 



WO 01/28273 



PCT7FI00/00873 




WO 01/28273 



PCT/FI00/00873 



2/2 



C 8 
O Q. 

.&.S3 
£8 



c 
o 




GO O 



JO 

• 1-4 

-8 



o 

o 



o 
u 



13 

.9 o 



J* 



CO 

o > -m ^ 

§ 1 2 gj 

w ^ "fi O 

cd ^ T3 5 

8 C * S 

C £ <D o 

S3 c3 



OO 

a 1 
o 



SI ^ 

T3 



>> 




c 




o 










he 


a 






00 




£ 






O 




6 v 




3 ir 

£ 00 

ft o 

3 & 
o 



J- 



* tl 

3 o cS 



2 



1^1 

O 
C 



G 

T3 



oo 
0) 



ON 
(N 



3 

o 
g 
c 



o 



oo 
D 





A 




O 




CO 










<u 




00 














J- 






00 






+-> 


I 


en 


(-1 





CO 



00 

S3 

5 



or 

§ b 

s 's 

C3 



00 

§ 



00 



00 

§ 



00 

V 

a 1 
a 



8 

e 



^ m 

00 

§ 

00 



INTERNATIONAL SEARCH REPORT 



International application No. 

PCT/FI 00/00873 



A. CLASSIFICATION OF SUBJECT MATTER 



IPC7: H04Q 7/38 

According to International Patent Classification (IPC) or to both national classification and IPC 



B. FIELDS SEARCHED 



Minimum documentation searched (classification system followed by classification symbols) 

IPC7: H04Q 



Documentation searched other than minimum documentation to the extent that such documents are included in the fields searched 

SE,DK,FI,N0 classes as above 



Electronic data base consulted during the international search (name of data base and, where practicable, search terms used) 



C. DOCUMENTS CONSIDERED TO BE RELEVANT 



Category 



Citation of document, with indication, where appropriate, of the relevant passages 



Relevant to claim No. 



P,A 



"Achieving User Privacy in Mobile Networks" 
1997-12-08 

B Askwith, M Merabti, Q Shi, K Whiteley 
See the whole document 



EP 0982958 A2 (LUCENT TECHNOLOGIES INC.), 

1 March 2000 (01.03.00), page 3, line 10 - line 30, 
abstract 



JP 10191447 A (N T T IDO TSUSHINMO KK), 

21 July 1998 (21.07.98), see the whole document 



1-12 



1-12 



1-12 



I ^rlhcr documenLs are listed in the continuation of Box C. Q(| See patent famii; 



y annex. 



Special categories of cited documents: 

'A" document defining the general state of the art which is not considered 
to be of particular relevance 

R" earlier application or patent but published on or after the international 
filing date 

X" document which may throw doubt? on priority claim(s) or which is 
cited to establish the publication date of another citation or other 
special reason (as specified) 

V document referring to an oral disclosure, use, exhibition or other 
means 

P" document published prior to the international filing dale hut later than 
the priority date claimed 



^ later document published after the international filing date or priority 
date and not in conflict with the application but cited to understand 
the principle or theory underlying the invention 

"X" document of particular relevance: the claimed invention cannot be 
considered novel or cannot be considered to involve an inventive 
step when the document is taken alone 

* Y" document of particular relevance: the claimed invention cannot be 
considered to involve an inventive step when the document is 
combined with one or more other such documents, such combination 
being obvious to a person skilled in the art 

*cV document member of the same patent family 



Date of the actual completion of the international search 

26 January 2001 



Date of mailing of the international search report 

2 9 -01- 2001 



Name and mailing address of the ISA/ 
Swedish Patent Office 
Box 5055, S-102 42 STOCKHOLM 
Facsimile No. + 46 8 666 02 86 



Form PCT/lSA/210 (second sheet) (July 1998) 



Authorized officer 

Thomas Tholin/JAn 

Telephone No. + 46 8 782 25 00 



IN TERNATIONAL SEARCH REPORT 

Information on patent family members 



27/12/00 



International application No. 

PCT/FI 00/00873 



Patent document 
cited in search report 



Publication 
date 



Patent family 
member (s) 



Publication 
date 



EP 



0982958 A2 01/03/00 



AU 
BR 
CN 
JP 



4476099 A 
9903783 A 
1256596 A 
2000115161 A 



16/03/00 
05/09/00 
14/06/00 
21/04/00 



JP 



10191447 A 21/07/98 



NONE 



Form PCT/1S A/210 (patem family annex) (July 1998) 



